Hey dear readers it’s been awhile,
tldr; How to avoid apple from yelling out your location to their servers
I personally like to use the Searchlight function of OSX, it provides me a fast way to access my files – but this it also sends my geolocation to apple everytime i do a search. This blogpost will be about how to disable or at least prevent the built-in search function „Searchlight“ from sending your IP-location to the Apple Servers.
But first have a look at what’s being sent:
GET /search?q=asd&latlng=48.082000,8.640000&geosrc=wifi,155.643824&storefront=143443-4,13&locale=de-DE&time_zone=Europe/Berlin&calendar=gregorian&key=montana4289 HTTP/1.1
This request was captured during a Burp session.
What you can see here in the Parameters
- q is the Query you send to the the Apple Servers
- latlng is the Latitude and the Longitude of your current (IP) location
I think it’s needless to say that those information should stay private (at least in my opinion). If you want to keep your searches fancy you can stop reading here, preventing the geolocation will change your search experience but you will gain some privacy back 🙂
So the first way – Old School /etc/hosts
The /etc/hosts is a local text file that tells the system how to resolve an IP-Address to a Domain. The clue here is to point the Apple domain api.smoot.apple.com to the localhost address of your machine (127.0.0.1) this will tell the system to resolve every request to api.smoot.apple.com to the localhost address, thus leading nowhere. To do so:
1. Open a terminal
2. sudo vim /etc/hosts
3. Enter the following 127.0.0.1 line api.smoot.apple.com
4. Clean the DNS cache sudo discoveryutil mdnsflushcache
5. All set 🙂
Second Way – Little Snitch
I don’t want to promote anything here, but the Little Snitch software is worth buying. Little snitch helps you to organize every incoming and outgoing connection, you can simply add a rule for the Spotlight search:
You want to disable the locationd Service that tries to connect to gs-loc.apple.com – forever
you are done 🙂 Privacy saved.
If you enjoy this – give me a feedback as a comment here or drop me an email at patrik.fehrenbach(at)it-securityguard.com if you guys are interested i might do a complete writeup about an OSX hardening.
Greetings readers, today i want to share with you one of my latest findings on Paypal.com.When creating an invoice Paypal allows the users to upload attachements for the invoices one attachement that they allow is a XML file. What the developer may missed here is that you can actually insert HTML into XML files, the namespace allowing this for XML files is called xmlns and a valid xmlns file would look something like this :
When i uploaded a file with this content and the ending.xml the intepreter on Paypals site executed the Payload (in this case the alert 1). To fullfill the requirements for a bounty you always have to make such a vulnerability exploitable and therefore a risk for other Paypal Users. In this case it was pretty easy, you could either way send the Link to this file directly (it doesn’t matter wether the user is logged in or not) or you send it with the Invoice and wait for the user to klick on it.
Here is the POC i sent in to the Paypal bug bounty team :
If you have have questions on this particular case please don’t hesitate to contact me at patrik.fehrenbach(at)it-securityguard.com
All the best
Dear followers, i found a reflected Cross Site Scripting issue on the new Paypal Directory service (https://www.paypal.com/directory/merchants), with the following Payload:
&q=509%22%20src=%22http://www.example.com/exploit509.js%20%3C script %3E alert %281%29%3C/ script %3E
The vulnerable Parameter was the q? Parameter, i was able to break the script contex of the page, i think it was because of the &q Parameteter, but i am not sure Paypal fixed this issue to fast so i couldn’t analyze it more in depth :/
https://www.paypal.com/directory/merchants?q=&q=509%22%20src=%22http://www.example.com/exploit509.js%20%3C script %3E alert %281%29%3C/ script %3E
Here is my POC i sent in to Paypal : hope you enjoyed! If you have any kind of question please don’t hesitate to ask me, either way here or via email at patrik.fehrenbach(at)it-securityguard.com All the best Patrik
today i want to share a short story of a bug i found on one of prezi’s subdomains called mailroom.prezi.com.The Webserver at http://mailroom.prezi.com is configured to redirect the Users to the Login Page of Prezi, so far so good, i found out that if you add a Domain lets say http://mailroom.prezi.com/.anydomain.com to the end of the URL it redirects to https://mailroom.prezi.com.anydomain.test,
to validate this one i created a new Subdomain called mailroom.prezi.com.it-securityguard.com, so if an attacker sets up a valid https cloned site of the actual login page a request on http://mailroom.prezi.com/.it-securityguard.com will redirect the user to https://mailroom.prezi.com.it-securityguard.com (the attacker owned domain).
This issue was worth 500$ of cash reward. The Prezi Team as always fixed this issue in less than 24 hours, heads up for this nice and skilled security team.
hope you enjoyed.